svn rev #21712: trunk/src/ include/ kdc/

hartmans@MIT.EDU hartmans at MIT.EDU
Tue Jan 6 17:32:31 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21712
Commit By: hartmans
Log Message:
Patch from Luke Howard
to make an explicit call to check the ACL for s4u delegations rather than relying on tl-data.


Changed Files:
U   trunk/src/include/kdb_ext.h
U   trunk/src/kdc/kdc_util.c
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h	2009-01-06 21:48:24 UTC (rev 21711)
+++ trunk/src/include/kdb_ext.h	2009-01-06 22:32:30 UTC (rev 21712)
@@ -90,7 +90,7 @@
 #define KRB5_KDB_METHOD_AUDIT_AS			0x00000050
 #define KRB5_KDB_METHOD_AUDIT_TGS			0x00000060
 #define KRB5_KDB_METHOD_REFRESH_POLICY			0x00000070
-#define KRB5_KDB_METHOD_GET_PAC_PRINC			0x00000080
+#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE	0x00000080
 
 typedef struct _kdb_sign_auth_data_req {
     krb5_magic magic;
@@ -162,4 +162,10 @@
     krb5_error_code error_code;
 } kdb_audit_tgs_req;
 
+typedef struct _kdb_check_allowed_to_delegate_req {
+    krb5_magic magic;
+    const krb5_db_entry *server;
+    krb5_const_principal proxy;
+} kdb_check_allowed_to_delegate_req;
+
 #endif /* KRB5_KDB5_EXT__ */
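Review bot: The new `kdb_check_allowed_to_delegate_req` carries no comment saying what the backend is asked to decide, who fills `magic`, or that `server` and `proxy` are borrowed from the caller for the duration of the `krb5_db_invoke` call, and since this is the wire contract between the KDC and every DB module that is the one place it needs spelling out. I would add, above the typedef, `/* KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE request: may 'server' obtain a ticket to 'proxy' on a client's behalf (constrained S4U delegation)? Caller sets every field including magic; pointers are not owned by the backend. Return 0 to allow, KRB5_KDB_DBTYPE_NOSUP if unimplemented (the KDC treats it as a policy denial), any other error to deny. */`. The preceding hunk also reuses the numeric value 0x00000080 of the removed `KRB5_KDB_METHOD_GET_PAC_PRINC` for the new method; presumably that name was never shipped, but if any backend was built against it, it would now receive a differently shaped request under the same method number, so that is worth confirming.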

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2009-01-06 21:48:24 UTC (rev 21711)
+++ trunk/src/kdc/kdc_util.c	2009-01-06 22:32:30 UTC (rev 21712)
@@ -1971,61 +1971,46 @@
     return 0;
 }
 
-static krb5_boolean
-check_constrained_delegation_acl(krb5_context context,
-				 krb5_tl_data *tl_data,
-				 krb5_const_principal spn)
-{
-    krb5_principal acl;
-    krb5_boolean ret;
-
-    assert(tl_data->tl_data_contents[tl_data->tl_data_length] == '\0');
-
-    if (krb5_parse_name_flags(context,
-			      (char *)tl_data->tl_data_contents,
-			      KRB5_PRINCIPAL_PARSE_NO_REALM,
-			      &acl) != 0)
-	return FALSE;
-
-    ret = krb5_principal_compare_flags(context, acl, spn, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
-
-    krb5_free_principal(context, acl);
-
-    return ret;
-}
-
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
 			     const krb5_db_entry *server,
 			     krb5_const_principal proxy)
 {
-    krb5_tl_data		*tl_data;
-    krb5_boolean		allowed = FALSE;
+    kdb_check_allowed_to_delegate_req   req;
+    krb5_data			req_data;
+    krb5_data			rep_data;
+    krb5_error_code		code;
 
     /* Can't get a TGT (otherwise it would be unconstrained delegation) */
     if (krb5_is_tgs_principal(proxy)) {
 	return KRB5KDC_ERR_POLICY;
     }
 
-    /* Must be in same realm -- ACLs are non-qualified SPNs */
-    if (!krb5_realm_compare(kdc_context, server->princ, proxy)) {
+    /* Must be in same realm */
+    if (!krb5_realm_compare(context, server->princ, proxy)) {
 	return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */
     }
 
-    for (tl_data = server->tl_data; tl_data != NULL; tl_data = tl_data->tl_data_next) {
-        if (tl_data->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) {
-	    if (check_constrained_delegation_acl(context, tl_data, proxy)) {
-		allowed = TRUE;
-		break;
-	    }
-        }
-    }
+    req.server = server;
+    req.proxy = proxy;
 
-    if (allowed == FALSE) {
-	return KRB5KDC_ERR_POLICY;
+    req_data.data = (void *)&req;
+    req_data.length = sizeof(req);
+
+    rep_data.data = NULL;
+    rep_data.length = 0;
+
+    code = krb5_db_invoke(context,
+			  KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
+			  &req_data,
+			  &rep_data);
+    if (code == KRB5_KDB_DBTYPE_NOSUP) {
+	code = KRB5KDC_ERR_POLICY;
     }
 
-    return 0;
+    assert(rep_data.length == 0);
+
+    return code;
 }
 
 krb5_error_code
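Review bot: `req.magic` is never initialized before `req` is passed to `krb5_db_invoke`: the new `kdb_check_allowed_to_delegate_req` declares a `krb5_magic magic` member, but `check_allowed_to_delegate_to` assigns only `req.server` and `req.proxy`, so a backend that validates the magic reads an indeterminate stack value and the delegation decision becomes unpredictable. Zero the request before filling it, `memset(&req, 0, sizeof(req));`, and set `req.magic` to the constant the backend expects ahead of the two assignments. The `assert(rep_data.length == 0);` after the call is also a poor contract for a KDC: a backend that returns a reply body aborts the daemon in debug builds and silently leaks the reply under NDEBUG, whereas `krb5_free_data_contents(context, &rep_data);` and ignoring the reply keeps the fail-closed behaviour without a crash path. A one-line comment that only a 0 return from the backend grants the delegation, with every other code (NOSUP mapped to KRB5KDC_ERR_POLICY) denying it, would make the fail-closed intent explicit to the next reader.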



